Ken Felix Security Blog: August 2018

Friday, August 31, 2018

forcepoint API

In my day job I have support cases for host of issues. Here's is a short blog of some basic Forcepoint NGFW API information. 1st the API interface is simple to enable on the SMC MgtServer under the server "properties" settings.

Here, I've have selected the port 8080 from the default 8082 and enabled the API
You do NOT need to reboot the MgtServer

You will need a API client-user define ( the standard admin_users are not API users ). After you have crafted a API client a authenticationkey will be display ( it's critical that you record that key , you will not see it again ).

To login, the API needs the key and provided via a http.request.method POST in a simple call

curl -k -v -d '{"authenticationkey":"n7d3hj3k39l@se3ydieke"}' -H "Content-Type: application/json" -X POST https://mysmcserver.socpuppets.com:8080/login

If the key was correct, you should receive a status. response 200 and the SMC console will show the user logged on as a status "online"

The logout is similar but uses the http.request.method PUT

curl -k -v -d '{"authenticationkey":"n7d3hj3k39l@se3ydieke"}' -H "Content-Type: application/json" -X PUT https://mysmcserver.socpuppets.com:8080/login

To discovery entry points you can use the API discovery at or whatever services port you have enabled

https://x.x.x.x:8080/api

example

As you can clearly see we have 5.10, 6.2, 6.3 support for this SMC v 6.3.8 . You can call these versions up to see what entries are allowed

{output truncated }

You can request various entry points by issuance of a http.request.method GET

examples to follow below.

When constructing POST I prefer json structure of a KEY and Attribute Value

e.g

{ "name":"the_name_here", "address":"1.1.1.1"}

NOTE: ensure you set the application type as json if your using json, xml is also supported.

Keep in mind the API client access is controlled by the role you define for the account

When initial login, you need to be aware that the JSESSSIONID cookie value is used for admin.session tracking with HTTP. With HTTPS you can use the cookie or SSLsession for tracking

Here's a few basic API examples

and yes the API supports IPv6

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Thursday, August 30, 2018

Y2038 unix time

Y2038 "Time is on my side, yes it is "

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Saturday, August 25, 2018

Papertrails for audit

In this blog I will do a short demo for papertrails & for raising a log alert events triggers from a PANOS firewall. Papertrails is a cloud logging services.

https://papertrailapp.com/

The services ofefrs a low to high cloud storage options, and even free trials.

The portal is simple for crafting a new logging source for the allocated destinations.

Keep in mind you can have multiple log.destinations and use a mix of UDP TCP or TLS

To craft events, just use the string that your looking for from the logging source

Here's a breakdown of a config change event that triggers the sending of a email.

NOTE: You can use hitech bridge to analyzer the TLS server component if your having issues establishing TLS just grab the CAfile https://papertrailapp.com/tools/papertrail-bundle.pem

https://www.htbridge.com/ssl/

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Saturday, August 18, 2018

Here's a few of the NGFW offerings in the advance world of security

CiscoASA Firepower
Sophos XG
Juniper SRX
Fortinet Fortigate
Palo Alto PAN series
Zscaler CloudFW
Forcepoint NGFW stonegate

What makes a NGFW

Application Awareness
User Identification
SSL inspections
DeepPacket Inspections
Advance logging and alerting
Threat and intelligence

https://en.wikipedia.org/wiki/Next-generation_firewall
http://www.nextgenfw.com/

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Friday, August 17, 2018

Forcepoint NGFW router dynamic

The forcepoint routing is all driven via Quagga , and supports OSPF/BGP for dynamic routing protocols.

The NGFW requires you manually execute the DYNAMIC routing templates and then you can configure the route aspects after selecting the template(s)

Here's a WebGUI of a bgp-configuration

The legacy vtysh cmd is used to access the quagga engine

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Tuesday, August 14, 2018

ssllab and exmple.com | org| net

SSLLAB does not analyze these two websites www.example.com and www.example.net / www.example.org

But rest assure you can call up any of the other the AltName for testing the site to get by the test restriction.

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

TLS 1.3 mitm testing from cloudflare

The following link supports a TLS 1.3 MiTM test checker https://tls13.mitm.watch/

The results and test identifier is listed in the output;

test1

Here's the same test when I have re-enabled my TLS decryption device on my network that does not support TLS v1.3

test2

So keep in mind for the 2nd test , I have the same ; host ( browser ) , the same network, but the TLS inspection device does not support TLS v1.3.

NOTE: if you suspect a MiTM device is inspecting your TLS traffic confirm the cert issuer for the web-server . Reference how to use "crt.sh" to find all listed issues for website certificates that are using known public CAs. If your issues string does NOT match the listed string in "crt.sh" , than a MiTM device is installed and probably decrypting. This is why SSL/TLS does not really mean your 100% protected, since the average end-users see a padlock and think they are secured. A MiTM device could be plant in between you and the web-site and unless you know what to look at and look for, you would have no clue.

http://socpuppet.blogspot.com/2017/10/howto-find-certificate-issued-against.html

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

maildomain checker tool

Openssl is used for webserver and websites for analyzing SSL/TLS. But luxsci is used for mail systems. Here's a few screenshots for maildomain socpuppets that's hosted by godaddy

https://luxsci.com/smtp-tls-checker

This online tool is great for when you need simple to understand results and need to analyze TLS/SSL issues regarding mail.

Other tools that I have mention a few years back are also great

http://socpuppet.blogspot.com/2016/11/tls-for-smtp-how-do-we-check-if-our.html

NOTE: They { luxsci } has a HIPAA secure email solution that works great. This allows for selective delivery of email and mets HIPAA compliance.

https://luxsci.com/hipaa-compliant-email-encryption

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Monday, August 13, 2018

DSN check-name and how to analze

Here's a quick burb about dns and names and syntax. A work associate ran into this issue today and I figure I would explain a few items.

With most bind deployments if you have a "underscore" in the name and do not specifically set check-names ignore , the bind daemon will balk and failed to load the domain zone.

Bind is user friendly and will tell why and where in the file the error is located at . Here it's line #13 and on line #13 I have the following entry that I crafted for this example.

So that's a quick means for finding the error and now in order to get the domain load, you need to enable check-names ignore ( the other options are fail and warn )

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \